CBUAE Law 3057

A Comprehensive Framework for Brand Protection, Digital Impersonation & Consumer Trust

Shahnawaz Sheik
3/26/2026
Reading time: 5 minutes

The Central Bank of the UAE (CBUAE), through CBUAE/FCMCP/2025/3057, has set a new benchmark for brand protection and digital risk governance across Licensed Financial Institutions (LFIs).

This is not just a compliance exercise: it represents a fundamental shift toward proactive, intelligence-led defense against impersonation, fraud, and digital abuse across the entire online ecosystem.

Regulatory Milestones

LFIs must align to strict timelines:

31 March 2026 → Full implementation of brand monitoring controls

30 June 2026 → Completion of the first Digital Impersonation Risk Assessment

These timelines emphasize urgency: institutions must move from reactive takedowns to continuous monitoring and prevention.

Scope of Monitoring: A Holistic Digital Footprint

CBUAE expects LFIs to monitor all channels where their brand can be abused or impersonated, including:

1. Domains, DNS & Web Infrastructure

  • Typo-squatting and homoglyph domains
  • Misleading subdomains and lookalike websites
  • Dangling DNS records and orphaned assets vulnerable to hijacking
  • Unauthorized SSL/TLS certificates (via certificate transparency monitoring)
  • Suspicious hosting infrastructure and phishing kits

LFIs must maintain a complete inventory of domains, subdomains, and digital assets, supported by:

  • Defensive domain registrations
  • Continuous monitoring for new registrations
  • Rapid investigation and takedown workflows
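As an added illustration (not part of the regulation or the article), the following Python snippet shows the kind of classification a brand-monitoring feed needs for the typo-squatting and homoglyph cases above: each newly observed registration is normalised (punycode decoded, NFKC, confusable glyphs folded) and compared against the LFI's own brand labels. The brand names, domains and the list of observed registrations are constructed for the example.

```python
import unicodedata

# Constructed brand inventory: labels the LFI owns and domains it operates (never flagged).
BRAND_LABELS = ["gulfbank", "gulfbankcards"]
OWN_DOMAINS = {"gulfbank.example", "gulfbankcards.example"}

# Glyphs and digraphs routinely swapped for Latin letters in lookalike registrations.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalise(label):
    """Decode punycode, apply NFKC, lower-case, then fold confusable glyphs."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Levenshtein distance; labels are short, so the plain O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, brand) for a newly observed registration, or None if unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in OWN_DOMAINS:
        return None
    # Second-level label only; a production monitor would use the public suffix list.
    label = normalise(domain.split(".")[0])
    tiers = (("confusable/homoglyph", lambda b: label == b),
             ("typosquat", lambda b: edit_distance(label, b) <= 1),
             ("brand-in-domain", lambda b: b in label))
    for verdict, matches in tiers:
        for brand in BRAND_LABELS:
            if matches(brand):
                return (verdict, brand)
    return None

if __name__ == "__main__":
    # Constructed feed of newly seen registrations, as a CT-log or zone-file monitor would emit.
    for seen in ["gulfbank.example", "gu1fbank.example", "gulfb\u0430nk.example",
                 "gulfbnk.example", "gulfbank-login.example", "emiratespost.example"]:
        print(f"{seen:28} -> {classify(seen)}")
```

Hits should feed the investigation and takedown workflow with the evidence (registration date, nameservers, certificate observations) attached, rather than being acted on from the verdict alone.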

2. Email Security & Brand Spoofing Protection

A critical control area under the regulation:

  • Implementation of SPF, DKIM, and DMARC
  • Enforcement of DMARC policy = “reject” or “quarantine” for consumer-facing domains
  • Cryptographic signing of outbound emails
  • Protection of mail infrastructure, keys, and configurations

Additionally:

  • Domains that do not send emails must still be protected to prevent spoofing
  • Continuous monitoring of authentication failures and spoofing attempts is required
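As an added example (not code from the regulation or the author), the Python below checks an LFI's domain inventory against the email-authentication expectations listed above: sending domains need SPF ending in a hard fail and a DMARC policy of reject or quarantine, non-sending domains need a locked-down SPF and DMARC, and every domain needs a reporting address so failures can be monitored. The DNS answers are constructed sample records; `lookup_txt` is a stand-in for a real resolver.

```python
# Constructed sample TXT records standing in for live DNS answers (not real LFI records).
SAMPLE_TXT = {
    "bank.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; adkim=s; aspf=s"],
    "promo.bank.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.promo.bank.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank.example"],
    "parked.bank.example": ["v=spf1 -all"],          # non-sending domain, locked down
    "_dmarc.parked.bank.example": ["v=DMARC1; p=reject"],
    "legacy.bank.example": [],                        # no SPF and no _dmarc record at all
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a real resolver (e.g. dnspython) in production."""
    return SAMPLE_TXT.get(name, [])

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, sends_mail):
    """Return the list of control gaps for one domain; an empty list means it passes."""
    findings = []
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not spf:
        findings.append("no SPF record")
    elif not sends_mail and spf[0].split() != ["v=spf1", "-all"]:
        findings.append("non-sending domain SPF should be exactly 'v=spf1 -all'")
    elif sends_mail and spf[0].split()[-1] != "-all":
        findings.append("SPF does not end in hard fail (-all)")
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy not in ("reject", "quarantine"):
            findings.append(f"DMARC policy p={policy} is not reject/quarantine")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC pct<100 leaves part of the mail stream unenforced")
        if "rua" not in tags:
            findings.append("no rua= reporting address, so authentication failures go unmonitored")
    return findings

def assess_inventory(inventory):
    """inventory: {domain: sends_mail}. Returns only the domains that have gaps."""
    report = {d: assess_domain(d, s) for d, s in inventory.items()}
    return {d: f for d, f in report.items() if f}
```

DKIM is not checked here because selector names are not discoverable from DNS alone; the sending platform's configured selectors would be fed in separately.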

3. Social Media, Messaging & Emerging Channels

Monitoring must extend to:

  • All major and emerging social media platforms
  • Content formats: posts, reels, livestreams, comments, and direct messages
  • Fake customer support accounts and impersonation profiles
  • Scam campaigns conducted via messaging apps and OTT platforms
  • AI-generated or deepfake impersonation (voice/video)

4. Search Engines, Ads & Malicious Campaigns

LFIs must detect:

  • Fraudulent paid advertisements impersonating the institution
  • Abuse of brand keywords in search engines
  • Malicious redirects and credential-harvesting landing pages
  • Coordinated scam funnels targeting customers

5. Mobile Applications & Digital Distribution Channels

Monitoring expectations include:

  • Fake banking or wallet apps
  • Misleading apps using LFI branding
  • Third-party repositories distributing fraudulent applications
  • Apple App Store, Google Play Store, and alternative marketplaces

6. Online Marketplaces & Public Web

  • Fraudulent financial products advertised online
  • Unauthorized promotions linked to the LFI brand
  • Scam websites targeting customers with misleading offers

7. Card Fraud & Consumer Targeting Risks

A notable expansion in scope is active monitoring of card-related fraud, including:

  • Fake “card offers” and counterfeit product pages
  • Fraudulent card application journeys

Scams involving:

  • OTP harvesting
  • Fake upgrades, refunds, limit increases
  • Reward redemption fraud
  • Impersonation of card operations or customer support

Key Risk Categories Defined by CBUAE

LFIs must formally address and respond to:

  • Brand abuse / digital impersonation
  • Domain misuse (lookalike domains, DNS abuse)
  • Fake ads and malicious campaigns
  • Phishing and social engineering attacks
  • Deepfake and AI-driven impersonation threats
  • Material impersonation incidents (as defined in regulatory thresholds)

Monitoring Expectations: Continuous, Adaptive & Intelligence-Led

CBUAE requires monitoring programs to be:

  • Continuous → Especially for high-risk channels (domains, ads, social media, app stores)
  • Adaptive → Evolving with new platforms and threat patterns
  • Integrated → Connected with:
      • Fraud operations
      • Cybersecurity teams
      • Threat intelligence
      • Incident response
      • Consumer support

Minimum Monitoring Capabilities:

  • Brand keyword tracking (including variations, transliterations)
  • Logo and asset recognition
  • Detection of suspicious domains and registrations
  • Identification of fake ads and malicious redirects
  • Discovery of impersonation accounts and scam campaigns
  • Correlation of alerts to identify coordinated fraud campaigns

Operational & Technical Control Requirements

LFIs must implement:

  • Strong access controls for domain registrars, DNS, and certificate authorities
  • Role-based access and periodic reviews
  • Secure key management and cryptographic controls
  • Evidence retention for monitoring, investigations, and remediation
  • Certificate transparency monitoring and alerting

End-to-End Incident Management Framework

A documented and auditable process is mandatory, covering:

1. Detection & Triage

Identification and prioritization of brand abuse events

2. Evidence Preservation

Domains, URLs, screenshots, ad references, handles

3. Impact Assessment

Customer exposure and potential financial risk

4. Disruption & Takedown

Engagement with:

  • Registrars and hosting providers
  • Social media platforms
  • Telecom operators
  • Relevant authorities

5. Communication

Secure and verified communication with affected customers

6. Post-Incident Review

  • Root cause analysis
  • Control gap identification
  • Remediation and enhancement

7. Coordination with Cybersecurity

Alignment with incident response when:

  • Credential compromise occurs
  • Malware or phishing infrastructure is involved
  • Internal systems are at risk

Digital Impersonation Risk Assessment

By 30 June 2026, LFIs must conduct their first formal assessment, covering:

  • Exposure across all monitored channels
  • Effectiveness of detection and response controls
  • Threat landscape and emerging risks (e.g., AI/deepfakes)
  • Gaps in governance, tooling, and processes

Strategic Takeaway

CBUAE Law 3057 reinforces a critical message:

Brand protection is now a core component of financial crime risk management and cybersecurity strategy.

LFIs must transition toward:

  • Proactive detection vs reactive response
  • Automation and intelligence-led monitoring
  • Cross-functional collaboration (fraud, cyber, compliance)
  • Consumer-centric protection strategies

Institutions that embed these capabilities effectively will not only achieve compliance but will also enhance trust, resilience, and digital integrity in an increasingly complex threat landscape.

The author is Director, Cyber Threat Management, Crowe UAE and can be reached at [email protected] for guidance and steps to be taken to comply with the law.

 

GRC Compass

GRC Compass is a curated weekly newsletter published every Thursday, delivering the most relevant insights and updates in Internal Audit, Governance, Risk & Compliance (GRC), Cyber Threat Management, Technology, and evolving training needs. Designed for professionals navigating a dynamic business environment, GRC Compass helps you stay informed, prepared, and ahead of the curve.

Dawn Thomas, Senior Partner - Governance Risk & Compliance
Ahmed Ali Bin Haider, Partner - GRC Technology
Shahnawaz Sheik, Director – Cyber Threat Management (shahnawaz.sheik@crowe.ae)